From Encrypting the Web to Encrypting the Net: 2018 Year in Review


We saw 2017 tip the scales for HTTPS. In 2018, web encryption has continued to improve, EFF has begun shifting its focus towards email security, and the security community has been hardening TLS, the protocol behind HTTPS and most other encrypted traffic on the Internet.

By default, Internet traffic, plain HTTP included, travels unencrypted, so anyone on the network path can read or tamper with it. TLS (Transport Layer Security) adds authenticated encryption and message integrity, so that an on-path party can neither listen in on the traffic nor alter it undetected. Since 2010, EFF has been actively campaigning to encrypt the entire web, that is, for websites to adopt HTTPS, which is HTTP carried over TLS. Given the success we have seen on the web, EFF is zooming out to track encryption of the entire Internet, starting with email.

Let’s take a closer look at what has happened this year in encrypting not just the web, but the entire Internet!

Continuing the Trend in Encrypting the Web

On the browser side, HTTPS Everywhere continues to see improvements in both user experience and security. With over a million daily active users and over five million downloads this year alone, the extension is in a great position to provide more security features to users as HTTPS support continues to rise. Its dataset of websites known to support HTTPS is more complete and up to date than before, which helps users deal with more severe security errors and gives them a way to push sites that are still insecure to move to HTTPS. We hope in the next year to provide a platform for users to encourage even more sites to support HTTPS.

Thanks to Let’s Encrypt and Certbot, it’s easier than ever to turn on HTTPS for your website. In February, we were excited that Let’s Encrypt had 50 million active certificates. Today, that number has reached 87 million! Certbot operates at a similar scale, with millions of users obtaining and renewing their certificates through it every month. And it keeps improving: at the beginning of the year a new version of ACME (the protocol that drives Let’s Encrypt and Certbot), ACME v2, was released, allowing website owners to obtain wildcard certificates in an easy and automated way. One practical caveat: wildcard certificates are validated through the DNS-01 challenge, so it is access to the domain’s DNS records, not the web server, that the automation needs.

And it’s not just EFF. The entire ecosystem is working together to make the web more secure. In July, Chrome (version 68) began marking every HTTP page as “Not secure,” leading to a noticeable increase in worldwide HTTPS adoption. Hosting providers like GitHub Pages have started providing Let’s Encrypt certificates too, making “turning on HTTPS” a one-click process for their customers.

And these examples are just a couple small drops in a giant wave of HTTPS. The ecosystem is on board and as excited as we are to make the insecure web a relic of the past.

Onwards, Towards Encrypting the Net

Given the success in encrypting the web, EFF is broadening the scope of its mission to encrypting the entire Internet, starting with email. As of this year, Let’s Encrypt’s own root certificate is trusted by all major root programs, meaning the certificates it issues are trusted by major operating systems and devices, not only by browsers. (Older devices whose trust stores have not been updated still rely on the cross-signature from IdenTrust, which is why the cross-signed chain remains in use.) We can safely assume that every modern computing device has the means to authenticate a Let’s Encrypt certificate, so let’s get started!

This year, EFF rebooted STARTTLS Everywhere, an initiative to track the security of the email ecosystem. According to Google’s Transparency Report, approximately 90% of email sent to or from Gmail is encrypted using STARTTLS. But STARTTLS is opportunistic: the sending server upgrades to TLS only if the receiving server advertises it, so an on-path attacker who simply strips the STARTTLS line from the receiving server’s EHLO reply downgrades the session to plaintext, and the sender carries on as if nothing happened. On top of that, email has no widely used mechanism for authenticating the receiving server’s TLS certificate, so most senders accept any certificate at all, which leaves the session open to on-path impersonation even when TLS is negotiated. Similar to HTTPS Everywhere’s rulesets and the HSTS preload list in modern browsers, we are maintaining and distributing a list of mailservers’ TLS information, so that senders can know in advance which servers must be reached over TLS with a valid certificate.

Certbot has also released some improvements that make it easier to use with mailserver software.

And just a couple of months ago, the Internet Engineering Task Force (IETF) published two RFCs (Request for Comments documents, which typically describe new Internet standards), MTA-STS (RFC 8461) and TLSRPT (RFC 8460), which have been in the works since 2014. MTA-STS lets a receiving domain publish a policy, through a DNS TXT record at _mta-sts.<domain> and a policy file served over HTTPS at https://mta-sts.<domain>/.well-known/mta-sts.txt, declaring which mailservers accept its mail, that they support TLS with a valid certificate, and (in enforce mode) that senders must refuse to deliver in plaintext. TLSRPT lets senders report TLS connection and policy failures back to the receiving domain, closing an error-reporting feedback loop that may help lower breakage from TLS misconfigurations, and so lowers the risk of deploying the new policy.
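To make both the STARTTLS downgrade described above and the MTA-STS/TLSRPT remedy concrete, here is an added example (illustrative code, not EFF’s STARTTLS Everywhere or any mailserver’s implementation). It simulates an on-path attacker stripping STARTTLS from an EHLO reply, runs the sending side’s decision with no policy, with an MTA-STS policy in testing mode and with one in enforce mode, and builds the TLSRPT failure entry a sender would report. The hostnames, the EHLO reply, the policy text and the 192.0.2.10 sender address are constructed, and the cert_valid flag stands in for the full certificate check a real MTA performs.

```python
"""Added example, not code from EFF's STARTTLS Everywhere or from any MTA:
simulates the STARTTLS downgrade and shows how an MTA-STS policy (RFC 8461)
in "enforce" mode turns the silent fallback to plaintext into a refusal,
with the failure recorded in TLSRPT (RFC 8460) form. Hostnames, the EHLO
reply and the policy text are constructed."""
import re
from dataclasses import dataclass, field
from typing import Optional, Tuple

# Constructed EHLO reply from a receiving MX that supports STARTTLS.
EHLO_OK = ("250-mx.example.com Hello\r\n"
           "250-SIZE 52428800\r\n"
           "250-STARTTLS\r\n"
           "250 8BITMIME\r\n")

# Constructed policy body, as fetched from
# https://mta-sts.example.com/.well-known/mta-sts.txt once the sender has
# found a TXT record "v=STSv1; id=20181201" at _mta-sts.example.com.
POLICY_TXT = ("version: STSv1\n"
              "mode: enforce\n"
              "mx: mx.example.com\n"
              "mx: *.backup.example.com\n"
              "max_age: 604800\n")

STARTTLS_LINE = re.compile(r"250[- ]STARTTLS")


def strip_starttls(ehlo: str) -> str:
    """What an on-path attacker does: delete the STARTTLS capability line.
    A sender that upgrades only opportunistically then carries on in
    cleartext. The last line is re-marked '250 ' to keep the reply valid."""
    lines = [l for l in ehlo.split("\r\n") if l and not STARTTLS_LINE.fullmatch(l)]
    lines[-1] = "250 " + lines[-1][4:]
    return "\r\n".join(lines) + "\r\n"


def advertises_starttls(ehlo: str) -> bool:
    return any(STARTTLS_LINE.fullmatch(l) for l in ehlo.split("\r\n"))


@dataclass
class StsPolicy:
    mode: str
    mx: list = field(default_factory=list)
    max_age: int = 0


def parse_policy(text: str) -> StsPolicy:
    """Parse the 'key: value' policy file; only STSv1 with a known mode is accepted."""
    fields, mx = {}, []
    for line in text.splitlines():
        if not line.strip():
            continue
        key, _, value = line.partition(":")
        key, value = key.strip(), value.strip()
        if key == "mx":
            mx.append(value.lower())
        else:
            fields[key] = value
    if fields.get("version") != "STSv1" or fields.get("mode") not in ("enforce", "testing", "none"):
        raise ValueError("invalid MTA-STS policy")
    return StsPolicy(mode=fields["mode"], mx=mx, max_age=int(fields.get("max_age", "0")))


def mx_matches(pattern: str, host: str) -> bool:
    """A leading '*.' matches exactly one DNS label (RFC 8461), not any depth."""
    host = host.lower().rstrip(".")
    if pattern.startswith("*."):
        head, _, rest = host.partition(".")
        return bool(head) and rest == pattern[2:]
    return host == pattern


def deliver(policy: Optional[StsPolicy], mx_host: str, ehlo: str,
            cert_valid: bool) -> Tuple[str, Optional[str]]:
    """Decide what the sending MTA does. Returns (action, tlsrpt_result_type)
    where action is 'tls', 'plaintext' or 'refuse'. cert_valid stands in for
    the full WebPKI chain and hostname check of the MX's certificate."""
    tls = advertises_starttls(ehlo)
    if policy is None or policy.mode == "none":
        # Plain opportunistic TLS: the downgrade succeeds silently.
        return ("tls" if tls else "plaintext"), None
    if not any(mx_matches(p, mx_host) for p in policy.mx):
        failure = "validation-failure"       # MX host not permitted by the policy
    elif not tls:
        failure = "starttls-not-supported"   # what a stripped EHLO looks like
    elif not cert_valid:
        failure = "certificate-host-mismatch"
    else:
        return "tls", None
    if policy.mode == "enforce":
        return "refuse", failure
    return ("tls" if tls else "plaintext"), failure   # testing: deliver, but report


def tlsrpt_entry(policy_domain: str, policy: StsPolicy, mx_host: str,
                 result_type: str, sending_ip: str = "192.0.2.10") -> dict:
    """One per-policy entry in the RFC 8460 JSON report shape. A real sender
    aggregates these per day and mails them to the rua= address from the
    domain's _smtp._tls TXT record (e.g. 'v=TLSRPTv1; rua=mailto:tls-rpt@example.com')."""
    return {
        "policy": {"policy-type": "sts", "policy-domain": policy_domain, "mx-host": policy.mx},
        "summary": {"total-successful-session-count": 0, "total-failure-session-count": 1},
        "failure-details": [{"result-type": result_type, "sending-mta-ip": sending_ip,
                             "receiving-mx-hostname": mx_host, "failed-session-count": 1}],
    }
```

Fed the stripped EHLO reply with no policy, deliver() returns plaintext delivery and nothing to report, which is exactly the silent failure mode. With the same input under the enforce policy it returns a refusal plus a starttls-not-supported result; under a testing policy it still delivers but produces the report, which is what makes a staged rollout safe.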

Improving TLS

In the realm of encrypting the net, 2018 also brought improvements to TLS itself. TLS 1.3 was published as RFC 8446 in August. It makes TLS noticeably faster by cutting the full handshake from two round trips to one (plus an optional 0-RTT mode for resumed connections, which trades replay protection for speed and should be enabled only for idempotent requests), and it hardens security by removing static RSA key exchange and other legacy options, so that every TLS 1.3 connection has forward secrecy rather than leaving it as a configuration choice.

To work properly, TLS relies on third parties called Certificate Authorities (CAs), like Let’s Encrypt, to issue certificates only to the legitimate operator of a domain. Certificate Transparency (CT), which requires CAs to submit every certificate they issue to public, append-only logs so that misissuance can be detected by anyone watching, gained a lot of traction in 2018. For certificates issued from the end of April onwards, Chrome requires CT compliance before it will trust them. Let’s Encrypt rolled out full support by embedding Signed Certificate Timestamps (the logs’ signed promises to publish the certificate) in the certificates it issues, so site operators get CT compliance without configuring anything.
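As an added example of what those embedded proofs look like on the wire (not Let’s Encrypt’s, Chrome’s or any CT library’s code): the following parses the SignedCertificateTimestampList extension (OID 1.3.6.1.4.1.11129.2.4.2, wire format from RFC 6962 section 3.3) and applies a minimal sanity check. The sample SCTs are constructed with fake log IDs and a placeholder signature; signature verification is deliberately left out, since it needs each log’s public key, and the min_logs threshold is an assumption rather than any browser’s exact policy.

```python
"""Added example, not Let's Encrypt's, Chrome's or any CT library's code:
parses the SignedCertificateTimestampList a CA embeds in a certificate
(X.509 extension OID 1.3.6.1.4.1.11129.2.4.2, RFC 6962 section 3.3) and
applies a minimal sanity check. SCTs below are constructed with fake log
IDs and a placeholder signature; signatures are not verified."""
import struct
from datetime import datetime, timezone

HASH_ALGS = {4: "sha256"}           # RFC 5246 HashAlgorithm value used by CT logs
SIG_ALGS = {1: "rsa", 3: "ecdsa"}   # RFC 5246 SignatureAlgorithm values


def encode_sct(log_id: bytes, timestamp_ms: int, signature: bytes, extensions: bytes = b"") -> bytes:
    """Build one v1 SerializedSCT as a log returns it (used here to construct sample data)."""
    if len(log_id) != 32:
        raise ValueError("log_id must be the 32-byte SHA-256 of the log's public key")
    return (b"\x00" + log_id + struct.pack(">Q", timestamp_ms)
            + struct.pack(">H", len(extensions)) + extensions
            + b"\x04\x03"                      # SignatureAndHashAlgorithm: sha256, ecdsa
            + struct.pack(">H", len(signature)) + signature)


def encode_sct_list(scts) -> bytes:
    """Each SCT gets a 2-byte length prefix; the whole list gets one more."""
    inner = b"".join(struct.pack(">H", len(s)) + s for s in scts)
    return struct.pack(">H", len(inner)) + inner


def der_octet_string(content: bytes) -> bytes:
    """Wrap bytes as a DER OCTET STRING, as the extension value in the certificate does."""
    n = len(content)
    if n < 0x80:
        return b"\x04" + bytes([n]) + content
    length = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return b"\x04" + bytes([0x80 | len(length)]) + length + content


def der_octet_string_contents(der: bytes) -> bytes:
    if der[:1] != b"\x04":
        raise ValueError("not a DER OCTET STRING")
    first = der[1]
    if first < 0x80:
        start, length = 2, first
    else:
        n = first & 0x7F
        start, length = 2 + n, int.from_bytes(der[2:2 + n], "big")
    if start + length != len(der):
        raise ValueError("DER length does not match data")
    return der[start:start + length]


def parse_sct(sct: bytes) -> dict:
    if sct[0] != 0:
        raise ValueError(f"unsupported SCT version {sct[0]}")
    log_id = sct[1:33]
    (ts_ms,) = struct.unpack(">Q", sct[33:41])
    (ext_len,) = struct.unpack(">H", sct[41:43])
    pos = 43 + ext_len
    hash_alg, sig_alg = sct[pos], sct[pos + 1]
    (sig_len,) = struct.unpack(">H", sct[pos + 2:pos + 4])
    signature = sct[pos + 4:pos + 4 + sig_len]
    if pos + 4 + sig_len != len(sct):
        raise ValueError("SCT has trailing bytes")
    return {"version": 0, "log_id": log_id.hex(), "timestamp_ms": ts_ms,
            "timestamp": datetime.fromtimestamp(ts_ms // 1000, tz=timezone.utc).isoformat(),
            "extensions": sct[43:pos].hex(),
            "hash_alg": HASH_ALGS.get(hash_alg, hash_alg),
            "sig_alg": SIG_ALGS.get(sig_alg, sig_alg),
            "signature": signature.hex()}


def parse_sct_list(data: bytes) -> list:
    """Parse the bare TLS-encoded list: 2-byte total length, then 2-byte-prefixed SCTs."""
    (total,) = struct.unpack(">H", data[:2])
    if total != len(data) - 2:
        raise ValueError("sct_list length does not match data")
    pos, out = 2, []
    while pos < len(data):
        (n,) = struct.unpack(">H", data[pos:pos + 2])
        out.append(parse_sct(data[pos + 2:pos + 2 + n]))
        pos += 2 + n
    return out


def parse_extension_value(der: bytes) -> list:
    """Entry point for the raw extension value exactly as stored in the certificate."""
    return parse_sct_list(der_octet_string_contents(der))


def check_scts(scts, now_ms: int, min_logs: int = 2) -> list:
    """Assumed minimal policy in the spirit of browser CT requirements:
    SCTs from at least min_logs distinct logs, none timestamped in the future."""
    problems = []
    if len({s["log_id"] for s in scts}) < min_logs:
        problems.append(f"fewer than {min_logs} distinct logs")
    problems += [f"SCT from log {s['log_id'][:8]} is timestamped in the future"
                 for s in scts if s["timestamp_ms"] > now_ms]
    return problems


# Constructed sample: two SCTs from two fake logs with March 2018 timestamps.
FAKE_SIG = bytes.fromhex("3006020101020101")   # tiny DER ECDSA-Sig-Value, not a real signature
SAMPLE_EXTENSION = der_octet_string(encode_sct_list([
    encode_sct(b"\xaa" * 32, 1520000000000, FAKE_SIG),
    encode_sct(b"\xbb" * 32, 1520000500000, FAKE_SIG),
]))
```

parse_extension_value(SAMPLE_EXTENSION) yields the two SCTs with their log IDs, timestamps and algorithm identifiers, and check_scts() flags a certificate whose SCTs all come from one log or carry a future timestamp; a real verifier would additionally check each signature against the known log key list.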

Finally, we saw a number of experiments and continuing work on DNS-over-HTTPS, DNS-over-TLS, and Encrypted SNI, which protect browsing metadata (the names of the sites you visit, which plain DNS queries and the TLS Server Name Indication field would otherwise reveal) from network eavesdroppers.

We’ve come a long way, but still have a long way to go. Let’s resolve to close the gap and really get “HTTPS everywhere” next year. Here’s to hoping 2019 will be as fruitful for Internet security as the past couple of years have been for web security.

This article is part of our Year in Review series. Read other articles about the fight for digital rights in 2018.
